-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/54698/
-----------------------------------------------------------

(Updated Dec. 14, 2016, 1:30 p.m.)


Review request for Ambari, Attila Doroszlai, Jaimin Jetly, Laszlo Puskas, Oliver Szabo, Robert Levas, and Sebastian Toader.


Bugs: AMBARI-19187
    https://issues.apache.org/jira/browse/AMBARI-19187


Repository: ambari


Description
-------

Hadoop components need to establish a secure connection with ZooKeeper when Kerberos is enabled. This involves the setup of the correct authentication (JAAS config file) and authorization (per-component Kerberos-backed ACLs on the znodes) between the service and ZooKeeper.

Most services are able to set these ACLs based on their config when the user enables Kerberos. When we disable Kerberos again, the sasl ACL should be removed, otherwise the services won't be able to access their znodes.

This issue is about introducing a new command (DISABLE_SECURITY) that will be sent by the Ambari server to the services during the dekerberization process. When a service receives this command, it will be able to do the ZooKeeper secure-to-unsecure migration process (e.g. removing sasl ACLs).

Notable changes:
 - Added a Java command line tool to the agent project that can setAcls recursively on a znode
 - Modified the dekerberization workflow:
   - 1. UI stops all services but ZooKeeper
   - 2. 2 new stages were introduced in the backend (send DISABLE_SECURITY command to the services, start ZooKeeper)


Diffs (updated)
-----

  ambari-agent/pom.xml a8ed7f1
  ambari-agent/src/main/java/org/apache/ambari/tools/zk/ZkAcl.java PRE-CREATION
  ambari-agent/src/main/java/org/apache/ambari/tools/zk/ZkConnection.java PRE-CREATION
  ambari-agent/src/main/java/org/apache/ambari/tools/zk/ZkMigrator.java PRE-CREATION
  ambari-agent/src/test/java/org/apache/ambari/tools/zk/ZkMigratorTest.java PRE-CREATION
  ambari-common/src/main/python/resource_management/core/resources/zkmigrator.py PRE-CREATION
  ambari-common/src/main/python/resource_management/libraries/script/script.py 584775e
  ambari-server/pom.xml 48ddb52
  ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 3261a56
  ambari-server/src/main/java/org/apache/ambari/server/metadata/ActionMetadata.java 0064662
  ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 90f8098
  ambari-web/app/controllers/main/admin/kerberos/disable_controller.js cec4503

Diff: https://reviews.apache.org/r/54698/diff/


Testing
-------

Added unit tests for ZkMigrator, KerberosHelperImpl

Manual testing:
 - created cluster with Ambari
 - enabled Kerberos
 - disabled Kerberos
 - checked if the DISABLE_SECURITY command was sent to the services

Ambari agent:
----------------------------------------------------------------------
Ran 450 tests in 10.634s

Ambari server:
----------------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 34:44.448s
[INFO] Finished at: Tue Dec 13 14:29:00 CET 2016
[INFO] Final Memory: 160M/798M


Thanks,

Attila Magyar
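
The lock-out described in this request and the recursive ACL reset that resolves it, as an added example: a small in-memory model, not Ambari's ZkMigrator code and not part of the review request. The znode names, the `svc` principal and all function names are constructed for illustration; the model assumes ZooKeeper's rule that changing an ACL requires ADMIN permission on the znode, which is why the reset has to run while the Kerberos identity is still usable.

```python
# Constructed in-memory model of ZooKeeper ACL checks; not Ambari's ZkMigrator.
ALL = frozenset("cdrwa")  # create, delete, read, write, admin
OPEN_ACL = [("world", "anyone", ALL)]  # what an unsecured cluster expects


class Znode:
    def __init__(self, acl):
        self.acl = list(acl)  # entries are (scheme, id, perms)
        self.children = {}


def allowed(node, identity, perm):
    """identity is a SASL principal name, or None for an unauthenticated client."""
    for scheme, ident, perms in node.acl:
        if perm in perms and (
            (scheme, ident) == ("world", "anyone")
            or (scheme == "sasl" and ident == identity)
        ):
            return True
    return False


def set_acl_recursive(node, identity, new_acl):
    """Replace the ACL on node and every descendant; return the znode count.

    Assumption modelled here: listing children needs READ and changing an
    ACL needs ADMIN, so the caller must still hold the Kerberos identity.
    """
    if not (allowed(node, identity, "r") and allowed(node, identity, "a")):
        raise PermissionError("NoAuth: cannot change ACL as %r" % identity)
    changed = sum(set_acl_recursive(c, identity, new_acl)
                  for c in node.children.values())
    node.acl = list(new_acl)
    return changed + 1


def build_kerberized_tree():
    """Constructed sample: /service/state/leader, owned by SASL principal 'svc'."""
    secured = [("sasl", "svc", ALL), ("world", "anyone", frozenset("r"))]
    root, state, leader = Znode(secured), Znode(secured), Znode(secured)
    root.children["state"] = state
    state.children["leader"] = leader
    return root


if __name__ == "__main__":
    tree = build_kerberized_tree()
    print("unauthenticated write before:", allowed(tree, None, "w"))
    print("znodes migrated:", set_acl_recursive(tree, "svc", OPEN_ACL))
    print("unauthenticated write after:", allowed(tree, None, "w"))
```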